More on changes to HIPAA enforcement

David Mayer, the OCR's acting senior adviser for the health information privacy, compliance and enforcement group, outlined the new process for attendees at the recent Healthcare Stimulus Exchange conference in Chicago. He also explained how new HITECH-mandated HIPAA regulations still under construction will define the process further.

Though the HITECH Act expanded and strengthened HIPAA rules, the legislation left it up to Mayer and his colleagues to pen stronger regulations for business associate liability; for the sale of protected health information, marketing and fundraising communications; and for strengthening the patient's rights to access electronic medical records and restrict the disclosure of certain information.

How the OCR investigates HIPAA violations

The federal Office for Civil Rights is complaint-driven, with nearly all its HIPAA enforcement actions conducted in response to patient filings, said David Mayer, the OCR's acting senior adviser for the health information privacy, compliance and enforcement group.

The office discards about half of the complaints it receives because of jurisdictional issues -- for example, because the complaint does not refer to a HIPAA-covered entity, or a covered entity's actions are actually permitted under the law. In three out of four investigations of HIPAA violations, however, the OCR sides with the patient, ruling that a data breach or other prohibited information disclosure has occurred. The covered entity thus is forced to take corrective action.

Typically, corrective action takes the form of an informal resolution, which involves setting up monitoring procedures, revising privacy policies or making other behavioral changes that will prevent a recurrence. The settlement may include a fine.

In informal resolutions, the OCR does not find the provider to be in violation of HIPAA rules, and the provider does not admit guilt. Formal resolutions, however, could include fines, court proceedings and formal findings of HIPAA violations. Cooperating with the investigator can influence the outcome when it comes time for OCR to determine how to deal with a HIPAA violation. In fact, Mayer said, some investigations have resulted in penalties against a covered entity even though no HIPAA violations occurred, because the entity stonewalled investigators or otherwise "didn't play nice." -- D.F.

Interim final rules on data breach notification and HIPAA enforcement are in effect already. Those will give way to permanent regulations, which will first appear in a notice of proposed rulemaking that could be out as soon as July 9, Mayer said. The proposed rule will give the health care sector its first look at how OCR will handle HIPAA enforcement in the era of the HITECH Act.

The HITECH Act also empowers state attorneys general to file HIPAA cases against HIPAA-covered entities. The OCR will be training state officials in HIPAA enforcement soon, probably before year's end. "OCR worries that the attorneys general will not get it right," Mayer said.

Amy Leopard, a partner at the Cleveland law firm Walter & Haverfield LLP, and Mayer's co-presenter, said new willful-neglect clauses in the HIPAA rules as updated by the HITECH Act should spur health care providers to pay closer attention to HIPAA, because they are on the hook for institutional shirking of privacy rules, now more than ever. Willful neglect generally can be described as knowing HIPAA rules but not properly training employees -- and now, business associates -- in them.

"It's evolving. It's going to be like this for the next couple of years," Leopard said of the rules, and of HIPAA enforcement strategies that are still in their infancy. "What we do know is that the bar is going to continue to be raised."

Encryption not only makes a breach less likely to happen, it also serves as a safe harbor, Leopard noted. Under the HITECH Act, no HIPAA violations occur and no data breach notifications are required when encrypted data is lost, because thieves cannot access the information. Many hospitals, she said, now are requiring all business associates to use encryption, too.

Regularly training employees in an organization's HIPAA policies represents another strong step, Mayer said. He suggested that CIOs, following the lead of privacy policymakers and enforcers, build strong institutional HIPAA compliance. CIOs must understand the actions policymakers are taking, whom they are reporting to, and how quickly they respond to complaints. Automated audit trails help prove institutional due diligence, Mayer said, as long as a human is monitoring them at some point in the workflow.

Entrusting HIPAA compliance either to people or to technology -- but not to both -- can lead to problems, Mayer said. "Your IT people and your privacy people need to work together," he said. "As the world goes electronic, the two sides of the house have to talk to each other. Unless there's some meeting of the minds, the program is not going to be successful."

Ultimately, putting in place a program with clear training policies and administrative procedures can help an entity save face in the case of what Mayer deemed the toughest type of HIPAA violation to prevent and control -- a data breach deliberately caused by a rogue employee.

"It makes a huge difference in the kind of corrective action we will require, if in fact all of those things are in place and this truly was a rogue employee," Mayer said.
